@rigour-labs/core 2.22.0 → 3.0.0

package/src/gates/ast-handlers/python.ts

@@ -1,145 +0,0 @@
-import { execa } from 'execa';
-import { ASTHandler, ASTHandlerContext } from './base.js';
-import { Failure } from '../../types/index.js';
-import path from 'path';
-import { fileURLToPath } from 'url';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-
-interface SecurityIssue {
-    type: string;
-    issue: string;
-    name: string;
-    lineno: number;
-    message: string;
-}
-
-interface MetricItem {
-    type: string;
-    name: string;
-    complexity?: number;
-    parameters?: number;
-    methods?: number;
-    lineno: number;
-}
-
-interface PythonAnalysisResult {
-    metrics?: MetricItem[];
-    security?: SecurityIssue[];
-    error?: string;
-}
-
-export class PythonHandler extends ASTHandler {
-    supports(file: string): boolean {
-        return /\.py$/.test(file);
-    }
-
-    async run(context: ASTHandlerContext): Promise<Failure[]> {
-        const failures: Failure[] = [];
-        const scriptPath = path.join(__dirname, 'python_parser.py');
-
-        // Dynamic command detection for cross-platform support (Mac/Linux usually python3, Windows usually python)
-        let pythonCmd = 'python3';
-        try {
-            await execa('python3', ['--version']);
-        } catch (e) {
-            try {
-                await execa('python', ['--version']);
-                pythonCmd = 'python';
-            } catch (e2) {
-                // Both missing - handled by main catch
-            }
-        }
-
-        try {
-            const { stdout } = await execa(pythonCmd, [scriptPath], {
-                input: context.content,
-                cwd: context.cwd
-            });
-
-            const result: PythonAnalysisResult = JSON.parse(stdout);
-            if (result.error) return [];
-
-            const astConfig = this.config.ast || {};
-            const safetyConfig = this.config.safety || {};
-            const maxComplexity = astConfig.complexity || 10;
-            const maxParams = astConfig.max_params || 5;
-            const maxMethods = astConfig.max_methods || 10;
-
-            // Process metrics (complexity, params, methods)
-            const metrics = result.metrics || [];
-            for (const item of metrics) {
-                if (item.type === 'function') {
-                    if (item.parameters && item.parameters > maxParams) {
-                        failures.push({
-                            id: 'AST_MAX_PARAMS',
-                            title: `Function '${item.name}' has ${item.parameters} parameters (max: ${maxParams})`,
-                            details: `High parameter count detected in ${context.file} at line ${item.lineno}`,
-                            files: [context.file],
-                            hint: `Reduce number of parameters or use an options object.`
-                        });
-                    }
-                    if (item.complexity && item.complexity > maxComplexity) {
-                        failures.push({
-                            id: 'AST_COMPLEXITY',
-                            title: `Function '${item.name}' has complexity of ${item.complexity} (max: ${maxComplexity})`,
-                            details: `High complexity detected in ${context.file} at line ${item.lineno}`,
-                            files: [context.file],
-                            hint: `Refactor '${item.name}' into smaller, more focused functions.`
-                        });
-                    }
-                } else if (item.type === 'class') {
-                    if (item.methods && item.methods > maxMethods) {
-                        failures.push({
-                            id: 'AST_MAX_METHODS',
-                            title: `Class '${item.name}' has ${item.methods} methods (max: ${maxMethods})`,
-                            details: `God Object pattern detected in ${context.file} at line ${item.lineno}`,
-                            files: [context.file],
-                            hint: `Split class '${item.name}' into smaller services.`
-                        });
-                    }
-                }
-            }
-
-            // Process security issues (CSRF, hardcoded secrets, SQL injection, etc.)
-            const securityIssues = result.security || [];
-            for (const issue of securityIssues) {
-                const issueIdMap: Record<string, string> = {
-                    'hardcoded_secret': 'SECURITY_HARDCODED_SECRET',
-                    'csrf_disabled': 'SECURITY_CSRF_DISABLED',
-                    'code_injection': 'SECURITY_CODE_INJECTION',
-                    'insecure_deserialization': 'SECURITY_INSECURE_DESERIALIZATION',
-                    'command_injection': 'SECURITY_COMMAND_INJECTION',
-                    'sql_injection': 'SECURITY_SQL_INJECTION'
-                };
-
-                const id = issueIdMap[issue.issue] || 'SECURITY_ISSUE';
-
-                failures.push({
-                    id,
-                    title: issue.message,
-                    details: `Security issue in ${context.file} at line ${issue.lineno}: ${issue.name}`,
-                    files: [context.file],
-                    hint: this.getSecurityHint(issue.issue)
-                });
-            }
-
-        } catch (e: any) {
-            // If python3 is missing, we skip AST but other gates still run
-        }
-
-        return failures;
-    }
-
-    private getSecurityHint(issueType: string): string {
-        const hints: Record<string, string> = {
-            'hardcoded_secret': 'Use environment variables: os.environ.get("SECRET_KEY")',
-            'csrf_disabled': 'Enable CSRF protection for all forms handling sensitive data',
-            'code_injection': 'Avoid eval/exec. Use safer alternatives like ast.literal_eval() for data parsing',
-            'insecure_deserialization': 'Use json.loads() instead of pickle for untrusted data',
-            'command_injection': 'Use subprocess with shell=False and pass arguments as a list',
-            'sql_injection': 'Use parameterized queries: cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))'
-        };
-        return hints[issueType] || 'Review and fix the security issue.';
-    }
-}

package/src/gates/ast-handlers/python_parser.py

@@ -1,181 +0,0 @@
-import ast
-import sys
-import json
-import re
-
-class MetricsVisitor(ast.NodeVisitor):
-    def __init__(self):
-        self.metrics = []
-
-    def visit_FunctionDef(self, node):
-        self.analyze_function(node)
-        self.generic_visit(node)
-
-    def visit_AsyncFunctionDef(self, node):
-        self.analyze_function(node)
-        self.generic_visit(node)
-
-    def visit_ClassDef(self, node):
-        methods = [n for n in node.body if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
-        self.metrics.append({
-            "type": "class",
-            "name": node.name,
-            "methods": len(methods),
-            "lineno": node.lineno
-        })
-        self.generic_visit(node)
-
-    def analyze_function(self, node):
-        complexity = 1
-        for n in ast.walk(node):
-            if isinstance(n, (ast.If, ast.While, ast.For, ast.AsyncFor, ast.Try, ast.ExceptHandler, ast.With, ast.AsyncWith)):
-                complexity += 1
-            elif isinstance(n, ast.BoolOp):
-                complexity += len(n.values) - 1
-            elif isinstance(n, ast.IfExp):
-                complexity += 1
-
-        params = len(node.args.args) + len(node.args.kwonlyargs)
-        if node.args.vararg: params += 1
-        if node.args.kwarg: params += 1
-
-        self.metrics.append({
-            "type": "function",
-            "name": node.name,
-            "complexity": complexity,
-            "parameters": params,
-            "lineno": node.lineno
-        })
-
-
-class SecurityVisitor(ast.NodeVisitor):
-    """Detects security issues in Python code via AST analysis."""
-
-    def __init__(self, content):
-        self.issues = []
-        self.content = content
-        self.lines = content.split('\n')
-
-    def visit_Assign(self, node):
-        """Check for hardcoded secrets and CSRF disabled."""
-        for target in node.targets:
-            if isinstance(target, ast.Name):
-                name = target.id
-                # Check for hardcoded SECRET_KEY
-                if name == 'SECRET_KEY':
-                    if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
-                        self.issues.append({
-                            "type": "security",
-                            "issue": "hardcoded_secret",
-                            "name": "SECRET_KEY",
-                            "lineno": node.lineno,
-                            "message": "Hardcoded SECRET_KEY detected. Use environment variables instead."
-                        })
-                # Check for hardcoded passwords/tokens
-                if name.upper() in ('PASSWORD', 'API_KEY', 'TOKEN', 'AUTH_TOKEN', 'PRIVATE_KEY', 'AWS_SECRET_KEY'):
-                    if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
-                        self.issues.append({
-                            "type": "security",
-                            "issue": "hardcoded_secret",
-                            "name": name,
-                            "lineno": node.lineno,
-                            "message": f"Hardcoded {name} detected. Use environment variables instead."
-                        })
-                # Check for csrf = False
-                if name.lower() in ('csrf', 'csrf_enabled', 'wtf_csrf_enabled'):
-                    if isinstance(node.value, ast.Constant) and node.value.value == False:
-                        self.issues.append({
-                            "type": "security",
-                            "issue": "csrf_disabled",
-                            "name": name,
-                            "lineno": node.lineno,
-                            "message": "CSRF protection is disabled. This is a security vulnerability."
-                        })
-        self.generic_visit(node)
-
-    def visit_Call(self, node):
-        """Check for dangerous function calls."""
-        func_name = None
-        if isinstance(node.func, ast.Name):
-            func_name = node.func.id
-        elif isinstance(node.func, ast.Attribute):
-            func_name = node.func.attr
-
-        # Check for eval/exec usage
-        if func_name in ('eval', 'exec'):
-            self.issues.append({
-                "type": "security",
-                "issue": "code_injection",
-                "name": func_name,
-                "lineno": node.lineno,
-                "message": f"Use of {func_name}() detected. This can lead to code injection vulnerabilities."
-            })
-
-        # Check for pickle usage (insecure deserialization)
-        if func_name in ('loads', 'load') and isinstance(node.func, ast.Attribute):
-            if isinstance(node.func.value, ast.Name) and node.func.value.id == 'pickle':
-                self.issues.append({
-                    "type": "security",
-                    "issue": "insecure_deserialization",
-                    "name": "pickle",
-                    "lineno": node.lineno,
-                    "message": "Pickle deserialization is unsafe. Use json instead for untrusted data."
-                })
-
-        # Check for shell=True in subprocess
-        if func_name in ('run', 'call', 'Popen', 'check_output', 'check_call'):
-            for keyword in node.keywords:
-                if keyword.arg == 'shell' and isinstance(keyword.value, ast.Constant) and keyword.value.value == True:
-                    self.issues.append({
-                        "type": "security",
-                        "issue": "command_injection",
-                        "name": func_name,
-                        "lineno": node.lineno,
-                        "message": "shell=True in subprocess can lead to command injection."
-                    })
-
-        self.generic_visit(node)
-
-    def check_sql_injection(self):
-        """Check for SQL injection patterns using regex on source."""
-        sql_patterns = [
-            (r'execute\s*\(\s*["\'].*%s', 'SQL string formatting with %s'),
-            (r'execute\s*\(\s*f["\']', 'SQL f-string'),
-            (r'execute\s*\(\s*["\'].*\+', 'SQL string concatenation'),
-            (r'cursor\.execute\s*\(\s*["\'].*\.format\s*\(', 'SQL .format()'),
-        ]
-        for pattern, desc in sql_patterns:
-            for i, line in enumerate(self.lines, 1):
-                if re.search(pattern, line, re.IGNORECASE):
-                    self.issues.append({
-                        "type": "security",
-                        "issue": "sql_injection",
-                        "name": desc,
-                        "lineno": i,
-                        "message": f"Potential SQL injection: {desc}. Use parameterized queries."
-                    })
-
-
-def analyze_code(content):
-    try:
-        tree = ast.parse(content)
-
-        # Collect metrics
-        visitor = MetricsVisitor()
-        visitor.visit(tree)
-
-        # Collect security issues
-        security_visitor = SecurityVisitor(content)
-        security_visitor.visit(tree)
-        security_visitor.check_sql_injection()
-
-        return {
-            "metrics": visitor.metrics,
-            "security": security_visitor.issues
-        }
-    except Exception as e:
-        return {"error": str(e)}
-
-if __name__ == "__main__":
-    content = sys.stdin.read()
-    print(json.dumps(analyze_code(content)))

package/src/gates/ast-handlers/typescript.ts

@@ -1,264 +0,0 @@
-import ts from 'typescript';
-import { ASTHandler, ASTHandlerContext } from './base.js';
-import { Failure } from '../../types/index.js';
-import micromatch from 'micromatch';
-import path from 'path';
-
-export class TypeScriptHandler extends ASTHandler {
-    supports(file: string): boolean {
-        return /\.(ts|js|tsx|jsx)$/.test(file);
-    }
-
-    async run(context: ASTHandlerContext): Promise<Failure[]> {
-        const failures: Failure[] = [];
-        const sourceFile = ts.createSourceFile(context.file, context.content, ts.ScriptTarget.Latest, true);
-        this.analyzeSourceFile(sourceFile, context.file, failures);
-        return failures;
-    }
-
-    private analyzeSourceFile(sourceFile: ts.SourceFile, relativePath: string, failures: Failure[]) {
-        const astConfig = this.config.ast || {};
-        const stalenessConfig = (this.config as any).staleness || {};
-        const stalenessRules = stalenessConfig.rules || {};
-        const maxComplexity = astConfig.complexity || 10;
-        const maxMethods = astConfig.max_methods || 10;
-        const maxParams = astConfig.max_params || 5;
-
-        // Limit failures per file to avoid output bloat on large files
-        const MAX_FAILURES_PER_FILE = 50;
-        const fileFailureCount: Record<string, number> = {};
-
-        const addFailure = (failure: Failure): boolean => {
-            const ruleId = failure.id;
-            fileFailureCount[ruleId] = (fileFailureCount[ruleId] || 0) + 1;
-            if (fileFailureCount[ruleId] <= MAX_FAILURES_PER_FILE) {
-                failures.push(failure);
-                return true;
-            }
-            // Add summary failure once when limit is reached
-            if (fileFailureCount[ruleId] === MAX_FAILURES_PER_FILE + 1) {
-                failures.push({
-                    id: `${ruleId}_LIMIT_EXCEEDED`,
-                    title: `More than ${MAX_FAILURES_PER_FILE} ${ruleId} violations in ${relativePath}`,
-                    details: `Truncated output: showing first ${MAX_FAILURES_PER_FILE} violations. Consider fixing the root cause.`,
-                    files: [relativePath],
-                    hint: `This file has many violations. Fix them systematically or exclude the file if it's legacy code.`
-                });
-            }
-            return false;
-        };
-
-        // Helper to check if a staleness rule is enabled
-        const isRuleEnabled = (rule: string): boolean => {
-            if (!stalenessConfig.enabled) return false;
-            return stalenessRules[rule] !== false; // Enabled by default if staleness is on
-        };
-
-        const visit = (node: ts.Node) => {
-            // === STALENESS CHECKS (Rule-based) ===
-
-            // no-var: Forbid legacy 'var' keyword
-            if (isRuleEnabled('no-var') && ts.isVariableStatement(node)) {
-                const declarationList = node.declarationList;
-                // NodeFlags: Let = 1, Const = 2, None = 0 (var)
-                if ((declarationList.flags & (ts.NodeFlags.Let | ts.NodeFlags.Const)) === 0) {
-                    const line = sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1;
-                    addFailure({
-                        id: 'STALENESS_NO_VAR',
-                        title: `Stale 'var' keyword`,
-                        details: `Use 'const' or 'let' instead of 'var' in ${relativePath}:${line}`,
-                        files: [relativePath],
-                        line,
-                        hint: `Replace 'var' with 'const' (preferred) or 'let' for modern JavaScript.`
-                    });
-                }
-            }
-
-            // no-commonjs: Forbid require() in favor of import
-            if (isRuleEnabled('no-commonjs') && ts.isCallExpression(node)) {
-                if (ts.isIdentifier(node.expression) && node.expression.text === 'require') {
-                    const line = sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1;
-                    addFailure({
-                        id: 'STALENESS_NO_COMMONJS',
-                        title: `CommonJS require()`,
-                        details: `Use ES6 'import' instead of 'require()' in ${relativePath}:${line}`,
-                        files: [relativePath],
-                        line,
-                        hint: `Replace require('module') with import module from 'module'.`
-                    });
-                }
-            }
-
-            // no-arguments: Forbid 'arguments' object (use rest params)
-            if (isRuleEnabled('no-arguments') && ts.isIdentifier(node) && node.text === 'arguments') {
-                // Check if it's actually the arguments keyword and not a variable named arguments
-                const parent = node.parent;
-                if (!ts.isVariableDeclaration(parent) && !ts.isPropertyAccessExpression(parent)) {
-                    const line = sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1;
-                    addFailure({
-                        id: 'STALENESS_NO_ARGUMENTS',
-                        title: `Legacy 'arguments' object`,
-                        details: `Use rest parameters (...args) instead of 'arguments' in ${relativePath}:${line}`,
-                        files: [relativePath],
-                        line,
-                        hint: `Replace 'arguments' with rest parameters: function(...args) { }`
-                    });
-                }
-            }
-
-            // === SECURITY CHECKS (Prototype Pollution) ===
-
-            // Check for direct __proto__ access: obj.__proto__
-            if (ts.isPropertyAccessExpression(node) && ts.isIdentifier(node.name) && node.name.text === '__proto__') {
-                const line = sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1;
-                addFailure({
-                    id: 'SECURITY_PROTOTYPE_POLLUTION',
-                    title: `Direct __proto__ access`,
-                    details: `Prototype pollution vulnerability in ${relativePath}:${line}`,
-                    files: [relativePath],
-                    line,
-                    hint: `Use Object.getPrototypeOf() or Object.setPrototypeOf() instead of __proto__.`
-                });
-            }
-
-            // Check for bracket notation __proto__ access: obj["__proto__"]
-            if (ts.isElementAccessExpression(node) && ts.isStringLiteral(node.argumentExpression)) {
-                const accessKey = node.argumentExpression.text;
-                if (accessKey === '__proto__' || accessKey === 'constructor' || accessKey === 'prototype') {
-                    const line = sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1;
-                    addFailure({
-                        id: 'SECURITY_PROTOTYPE_POLLUTION',
-                        title: `Unsafe bracket notation access to '${accessKey}'`,
-                        details: `Potential prototype pollution via bracket notation in ${relativePath}:${line}`,
-                        files: [relativePath],
-                        line,
-                        hint: `Block access to '${accessKey}' property when handling user input. Use allowlist for object keys.`
-                    });
-                }
-            }
-
-            // Check for Object.assign with user-controllable input (common prototype pollution pattern)
-            if (ts.isCallExpression(node) && ts.isPropertyAccessExpression(node.expression)) {
-                const propAccess = node.expression;
-                if (ts.isIdentifier(propAccess.expression) && propAccess.expression.text === 'Object' &&
-                    ts.isIdentifier(propAccess.name) && propAccess.name.text === 'assign') {
-                    // This is Object.assign() - warn if first arg is empty object (merge pattern)
-                    if (node.arguments.length >= 2) {
-                        const firstArg = node.arguments[0];
-                        if (ts.isObjectLiteralExpression(firstArg) && firstArg.properties.length === 0) {
-                            const line = sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1;
-                            addFailure({
-                                id: 'SECURITY_PROTOTYPE_POLLUTION_MERGE',
-                                title: `Object.assign() merge pattern`,
-                                details: `Object.assign({}, ...) can propagate prototype pollution in ${relativePath}:${line}`,
-                                files: [relativePath],
-                                line,
-                                hint: `Validate and sanitize source objects before merging. Block __proto__ and constructor keys.`
-                            });
-                        }
-                    }
-                }
-            }
-
-            // === COMPLEXITY CHECKS ===
-
-            if (ts.isFunctionDeclaration(node) || ts.isMethodDeclaration(node) || ts.isArrowFunction(node)) {
-                const name = this.getNodeName(node);
-
-                if (node.parameters.length > maxParams) {
-                    addFailure({
-                        id: 'AST_MAX_PARAMS',
-                        title: `Function '${name}' has ${node.parameters.length} parameters (max: ${maxParams})`,
-                        details: `High parameter count detected in ${relativePath}`,
-                        files: [relativePath],
-                        hint: `Reduce number of parameters or use an options object.`
-                    });
-                }
-
-                let complexity = 1;
-                const countComplexity = (n: ts.Node) => {
-                    if (ts.isIfStatement(n) || ts.isCaseClause(n) || ts.isDefaultClause(n) ||
-                        ts.isForStatement(n) || ts.isForInStatement(n) || ts.isForOfStatement(n) ||
-                        ts.isWhileStatement(n) || ts.isDoStatement(n) || ts.isConditionalExpression(n)) {
-                        complexity++;
-                    }
-                    if (ts.isBinaryExpression(n)) {
-                        if (n.operatorToken.kind === ts.SyntaxKind.AmpersandAmpersandToken ||
-                            n.operatorToken.kind === ts.SyntaxKind.BarBarToken) {
-                            complexity++;
-                        }
-                    }
-                    ts.forEachChild(n, countComplexity);
-                };
-                ts.forEachChild(node, countComplexity);
-
-                if (complexity > maxComplexity) {
-                    addFailure({
-                        id: 'AST_COMPLEXITY',
-                        title: `Function '${name}' has cyclomatic complexity of ${complexity} (max: ${maxComplexity})`,
-                        details: `High complexity detected in ${relativePath}`,
-                        files: [relativePath],
-                        hint: `Refactor '${name}' into smaller, more focused functions.`
-                    });
-                }
-            }
-
-            if (ts.isClassDeclaration(node)) {
-                const name = node.name?.text || 'Anonymous Class';
-                const methods = node.members.filter(ts.isMethodDeclaration);
-
-                if (methods.length > maxMethods) {
-                    addFailure({
-                        id: 'AST_MAX_METHODS',
-                        title: `Class '${name}' has ${methods.length} methods (max: ${maxMethods})`,
-                        details: `God Object pattern detected in ${relativePath}`,
-                        files: [relativePath],
-                        hint: `Class '${name}' is becoming too large. Split it into smaller services.`
-                    });
-                }
-            }
-
-            if (ts.isImportDeclaration(node)) {
-                const importPath = (node.moduleSpecifier as ts.StringLiteral).text;
-                this.checkBoundary(importPath, relativePath, failures);
-            }
-
-            ts.forEachChild(node, visit);
-        };
-
-        ts.forEachChild(sourceFile, visit);
-    }
-
-    private checkBoundary(importPath: string, relativePath: string, failures: Failure[]) {
-        const boundaries = (this.config as any).architecture?.boundaries || [];
-        for (const rule of boundaries) {
-            if (micromatch.isMatch(relativePath, rule.from)) {
-                const resolved = importPath.startsWith('.')
-                    ? path.join(path.dirname(relativePath), importPath)
-                    : importPath;
-
-                if (rule.mode === 'deny' && micromatch.isMatch(resolved, rule.to)) {
-                    failures.push({
-                        id: 'ARCH_BOUNDARY',
-                        title: `Architectural Violation`,
-                        details: `'${relativePath}' is forbidden from importing '${importPath}' (denied by boundary rule).`,
-                        files: [relativePath],
-                        hint: `Remove this import to maintain architectural layering.`
-                    });
-                }
-            }
-        }
-    }
-
-    private getNodeName(node: ts.Node): string {
-        if (ts.isFunctionDeclaration(node) || ts.isMethodDeclaration(node)) {
-            return node.name?.getText() || 'anonymous';
-        }
-        if (ts.isArrowFunction(node)) {
-            const parent = node.parent;
-            if (ts.isVariableDeclaration(parent)) return parent.name.getText();
-            return 'anonymous arrow';
-        }
-        return 'unknown';
-    }
-}